Selection of Source Images Heavily Influences the Effectiveness of Adversarial Attacks

• URL: http://arxiv.org/abs/2106.07141v2
• Date: Wed, 16 Jun 2021 02:32:16 GMT
• Title: Selection of Source Images Heavily Influences the Effectiveness of Adversarial Attacks
• Authors: Utku Ozbulak, Esla Timothy Anzaku, Wesley De Neve, Arnout Van Messem
• Abstract summary: We show that not every source image is equally suited for adversarial examples. It is possible to have a difference of up to $12.5%$ in model-to-model transferability success. We then take one of the first steps in evaluating the robustness of images used to create adversarial examples.
• Score: 2.6113528145137495
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Although the adoption rate of deep neural networks (DNNs) has tremendously increased in recent years, a solution for their vulnerability against adversarial examples has not yet been found. As a result, substantial research efforts are dedicated to fix this weakness, with many studies typically using a subset of source images to generate adversarial examples, treating every image in this subset as equal. We demonstrate that, in fact, not every source image is equally suited for this kind of assessment. To do so, we devise a large-scale model-to-model transferability scenario for which we meticulously analyze the properties of adversarial examples, generated from every suitable source image in ImageNet by making use of two of the most frequently deployed attacks. In this transferability scenario, which involves seven distinct DNN models, including the recently proposed vision transformers, we reveal that it is possible to have a difference of up to $12.5\%$ in model-to-model transferability success, $1.01$ in average $L_2$ perturbation, and $0.03$ ($8/225$) in average $L_{\infty}$ perturbation when $1,000$ source images are sampled randomly among all suitable candidates. We then take one of the first steps in evaluating the robustness of images used to create adversarial examples, proposing a number of simple but effective methods to identify unsuitable source images, thus making it possible to mitigate extreme cases in experimentation and support high-quality benchmarking.

Related papers

• Masked Images Are Counterfactual Samples for Robust Fine-tuning [77.82348472169335]
  Fine-tuning deep learning models can lead to a trade-off between in-distribution (ID) performance and out-of-distribution (OOD) robustness. We propose a novel fine-tuning method, which uses masked images as counterfactual samples that help improve the robustness of the fine-tuning model.
  arXiv  Detail & Related papers  (2023-03-06T11:51:28Z)
• Making Substitute Models More Bayesian Can Enhance Transferability of Adversarial Examples [89.85593878754571]
  transferability of adversarial examples across deep neural networks is the crux of many black-box attacks. We advocate to attack a Bayesian model for achieving desirable transferability. Our method outperforms recent state-of-the-arts by large margins.
  arXiv  Detail & Related papers  (2023-02-10T07:08:13Z)
• ARIA: Adversarially Robust Image Attribution for Content Provenance [25.217001579437635]
  We show how to generate valid adversarial images that can easily cause incorrect image attribution. We then describe an approach to prevent imperceptible adversarial attacks on deep visual fingerprinting models. The resulting models are substantially more robust, are accurate even on unperturbed images, and perform well even over a database with millions of images.
  arXiv  Detail & Related papers  (2022-02-25T18:11:45Z)
• Beyond ImageNet Attack: Towards Crafting Adversarial Examples for Black-box Domains [80.11169390071869]
  Adversarial examples have posed a severe threat to deep neural networks due to their transferable nature. We propose a Beyond ImageNet Attack (BIA) to investigate the transferability towards black-box domains. Our methods outperform state-of-the-art approaches by up to 7.71% (towards coarse-grained domains) and 25.91% (towards fine-grained domains) on average.
  arXiv  Detail & Related papers  (2022-01-27T14:04:27Z)
• Towards Transferable Unrestricted Adversarial Examples with Minimum Changes [13.75751221823941]
  Transfer-based adversarial example is one of the most important classes of black-box attacks. There is a trade-off between transferability and imperceptibility of the adversarial perturbation. We propose a geometry-aware framework to generate transferable adversarial examples with minimum changes.
  arXiv  Detail & Related papers  (2022-01-04T12:03:20Z)
• MEMO: Test Time Robustness via Adaptation and Augmentation [131.28104376280197]
  We study the problem of test time robustification, i.e., using the test input to improve model robustness. Recent prior works have proposed methods for test time adaptation, however, they each introduce additional assumptions. We propose a simple approach that can be used in any test setting where the model is probabilistic and adaptable.
  arXiv  Detail & Related papers  (2021-10-18T17:55:11Z)
• Detecting Adversarial Examples by Input Transformations, Defense Perturbations, and Voting [71.57324258813674]
  convolutional neural networks (CNNs) have proved to reach super-human performance in visual recognition tasks. CNNs can easily be fooled by adversarial examples, i.e., maliciously-crafted images that force the networks to predict an incorrect output. This paper extensively explores the detection of adversarial examples via image transformations and proposes a novel methodology.
  arXiv  Detail & Related papers  (2021-01-27T14:50:41Z)
• Regional Image Perturbation Reduces $L_p$ Norms of Adversarial Examples While Maintaining Model-to-model Transferability [3.578666449629947]
  We show that effective regional perturbations can be generated without resorting to complex methods. We develop a very simple regional adversarial perturbation attack method using cross-entropy sign. Our experiments on ImageNet with multiple models reveal that, on average, $76%$ of the generated adversarial examples maintain model-to-model transferability.
  arXiv  Detail & Related papers  (2020-07-07T04:33:16Z)
• Towards Robust Classification with Image Quality Assessment [0.9213700601337386]
  Deep convolutional neural networks (DCNN) are vulnerable to adversarial examples and sensitive to perceptual quality as well as the acquisition condition of images. In this paper, we investigate the connection between adversarial manipulation and image quality, then propose a protective mechanism. Our method combines image quality assessment with knowledge distillation to detect input images that would trigger a DCCN to produce egregiously wrong results.
  arXiv  Detail & Related papers  (2020-04-14T03:27:35Z)
• Understanding the Intrinsic Robustness of Image Distributions using Conditional Generative Models [87.00072607024026]
  We study the intrinsic robustness of two common image benchmarks under $ell$ perturbations. We show the existence of a large gap between the robustness limits implied by our theory and the adversarial robustness achieved by current state-of-the-art robust models.
  arXiv  Detail & Related papers  (2020-03-01T01:45:04Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.